Lessons from the Medibank breach: why data minimization matters
Watch RecordPoint CEO Anthony Woodward discuss the Medibank breach and legal action, and learn how data minimization could have reduced the effects of the breach
Last month, the OAIC announced it was pursuing civil penalty proceedings against Medibank for a 2022 data breach, to the tune of a proposed $21.5 trillion.
Watch RecordPoint CEO Anthony Woodward, Director of Transformation Catherine Shield and Principal Consultants Paula Smith and Mick Sowl as they discuss:
- What led up to the breach
- How the data was accessed
- Why the OAIC chose to pursue this case in particular
- How data minimization could have minimized the breach's impact
- The steps other organizations can take to reduce the impact of a breach
Watch the webinar now
Read the transcript
INTRO – ANTHONY:
Thanks for making the time to join today's webinar. We are going to begin the session now and thanks for making some time to get to join us. We did pre-record this webinar so we could get all of our experts across the globe together. And we do though have a whole bunch of people live to answer questions to take the chat.
We'd you ask if you can remove yourself mute yourself during session later on, you can ask questions over the audio. If you like, you can also put the questions in the question box, and during our Q+A session we'll definitely get to those. Today's presenters are going to be myself, I'm Anthony Woodwards. I'm the CEO. One of the founders here at RecordPoint.
Also have Paula Smith, the Principal Consultant at RecordPoint, Mick’s one of our Engagement Managers and Catherine Shield, who's the Director of Transformation. Why don't we dive to it and get underway?
[RECORDING STARTS]
ANTHONY:
Hello and welcome to the RecordPoint FILED Live event. Today we're focusing on some lessons from the Medibank breach: Why data minimization matters. I'm Anthony Woodward. I'm the CEO and one of the founders here at RecordPoint. And we have a very exciting. webinar today, really focusing on some of the key lessons from Medibank, but also a bunch of lessons from, the health sector in general.
So just to give you some context around the conversation today, we want to focus today initially on the Medibank breach, which, you know, was a very specific incident. There's been very well publicized that occurred in Australia and also had some impact on New Zealand. But because we've actually, as we've looked at the Medibank branch – and doing some research from this webinar – we've seen that there's actually a wider problem going on in the industry.
And we did want to touch on some of those industry concepts because there is a real timeliness to understanding what, what's causing this and what is a growing trend within the healthcare sector of really serious consequential breaches occurring to this kind of data. And so really that's very much the scope for the conversation today.
Medibank is a very important case study, but there's a lot more context for us to drill into. Talking about Medibank, to give you some context – and in a moment I want to hand over to one of my very learned and esteemed colleagues, Paula Smith, who's going to get into a bit of detail about Medibank and give you a lot more of the context.
The Medibank case is currently in front of the courts in Australia. So, we know that, and there's a rough timeline here on screen, there were particular events that occurred through the latter parts of 2022, and that's culminated in a civil litigation and a very serious penalty being applied to Medibank itself.
So ultimately, to give you the background before we step into it: Medibank became aware of an incident. They became aware somewhere in around the 25th of August through to October 13th, and they had traced that back to, a set of events that had happened internally. Some credentials have been stolen from a part of their supply chain.
A threat actor had come through those credentials into the system. And then that was identified as a high severity incident after around 520 gigabytes of data were extracted. There's been a follow up process since the Medibank notified the authorities and began an investigation of looking at what occurred.
And as a result of that follow up, there's now a set of civil litigation processes occurring around that. And the maximum possible fine as a result of that civil litigation process is $21.5 trillion. So it's a very serious incident with a lot of context, but for further details, I really want to hand over to Paula who is going to take you through that case in, in a bit more depth and really explain the intricacies of what's occurred at Medibank and, and what, what we could have done to, to think about different prevention techniques.
Thanks, Paula. Take it away.
PAULA:
Thanks Anthony. So, I guess a couple of things that we're going to go through today is, is to have a look at why the office of the Information Commissioner actually took the action against Medibank. So it is one of, one of the largest potential civil penalties is Anthony mentioning in his section.
So when the OAIC looked at this case, they looked at it against the Privacy Act and the potential breaches that had occurred. And they've determined that under that Privacy Act, there was serious, serious interference with the privacy of 9.7 million Australians. So in the determination that was made post their investigation, the assertion is that Medibank failed to take reasonable steps to protect that personal information from misuse and unauthorized access.
So it's a, it's a strong part of the Privacy Act. Any organization, obviously, that collects personal information and particularly in the health sector where there's a real trusted relationship here, the information that we have and that we provide to healthcare service providers is sensitive in its nature.
The number of people was 9.7 million, but the scale and the complexity of the information that was under the breach was also potentially harmful, not only to the individuals concerned, but also to their families. So if you think about some of the information, you're talking about mental health information, you're talking about really sensitive information around abortions, and operations and health related information.
That class of personal information is obviously of higher risk and higher value. And so the OAIC looked at both of those in that context, and then looking at what was potentially available under the legislation to issue the fine. Now Medibank isn't the first breach that we've seen. So we have seen breaches across the board from people like Canva, Latitude, Optus, etc.
And while the Privacy Act needs to be updated, and the Privacy Commission themselves has identified that, what they are seeing is an increase of these attacks. They're seeing an increase of breaches. So, in the second part of 2023, there were 483 notifiable breaches. That was up 19 percent on the first half of last year.
And those malicious and criminal attacks account for 67 percent of those data breaches. The personal information that we hold is very, very bad. Not only to the organizations who are legitimate, who want to provide services, but also, as Anthony said, to bad actors who want to use that personal information for, let's say, not so positive purposes, the health and finance sectors are the top reporters of those data breaches.
So when you combine the scale of the data breach itself and the complexity and the nature of information, you can understand why the Privacy Commissioner took this step.
So why, and what is, the OAIC trying to achieve with the penalty? So as Anthony said, under the legislation, it's 21.5 trillion Australian dollars in terms of possible penalty.
It's highly unlikely that's actually going to be the number and we already know that it's going to be quite a lot less than that, but it still will be a significant penalty. And we've seen drops in Medibank share price as a result of this action that the OAIC is taking. So there's three key objectives that the OIAC is trying to achieve here through the civil litigation that they now engage with Medibank.
So first of all, there has to be a stop for enterprises from committing what they consider to be egregious privacy violations. So as per the investigation that OAIC conducted, there was a determination that The organization didn't take reasonable steps to deal with the duties of care that it has to the personal information.
So, by a fine of this nature and this size, they're really hoping that enterprises take a much stronger view and a much more committed view to privacy related matters. There is obviously the need to put a stop to these data breaches themselves. So Optus last year, as I mentioned, Easton Health, there have been many others, but as I say, they are increasing and we're seeing that at the moment, year-on-year.
So we do need to stop those data breaches, because it is us at the end of the day that will suffer from that. And it is a need to emphasize the need for all Australian companies to comply with those privacy regulations. Historically, if you look back when the Privacy Act was first introduced, yes, it was seen as something that was yet another regulation, but I think the OAIC with this action has completely proven that they are serious about privacy.
We see these breaches happening all the time. We see the stories of people globally who have issues then getting credit, they have issues achieving promotions, they have issues getting any kind of service delivery. Once your personal data is stolen, it's very, very hard to get that back. So it's really important that the people that we engage with to deliver services to us are in compliance with privacy regulation and are looking after what we are giving to them under, again, that trusted relationship.
So hopefully, this will serve the OAIC well and ultimately it will serve customers well. But there are a couple of other examples that we're going to go over with you out of Australia. So I'm going to hand over to my learned colleague, Mick, who's going to take you through some more examples. Take it away, Mick.
MICK:
Thanks, Paula. Yeah. So as we've discussed so far, you know, the OAIC has really underscored the magnitude of the Medibank attack in Australia, but there are numerous healthcare data breaches that have occurred over the last couple of years that are not unique to Australia, and those really strive in the US and in Europe.
So we'll start by looking at one over in France. And this is an early in 2024 when two French health insurers, Viamedis and Almerys, reported a cyber attack that had impacts to over 33 million people. That's a lot – half the population of France as a whole. So far, they've stated that no medical history or treatment information has been breached or exposed, but social security numbers and other personally identifiable information was included in that breach.
Additionally, they believe that the breach occurred via a phishing attack on employees at Viamedis, and those credentials were then used to obtain access within both companies of that customer data. There is currently an open investigation being had by the National Commission on Informatics and Liberty, or the CNIL, which is a French government agency that handles all the regulations of personal data.
And so far, from what we can tell, the results of this investigation could lead to a fine of up to 20 million euros or 4% of Viamedis’ and Almerys’ global turnover, which is huge. And if we jump over now to the US, we'll start by talking about the United Healthcare breach.
In April of this year, UnitedHealthcare, which is the largest health insurer within the U.S., reported a breach. At this point, it is not known about the impacts or the size, but from the initial insights that we can tell: this is going to look to be one of the biggest breaches in data history within the U. S. We're talking up to one in every three Americans having an impact being felt when it comes to this data breach.
Additionally, it was seen that the way that this breach was exposed was via a server within United Healthcare System that was not utilizing MFA or multi-factor authentication. And another particularly concerning facet to this breach is based around the United Change Healthcare Unit. They process 50 percent of all medical claims.
That's about 15 billion transactions a year that occur. So even if you're not a direct customer of United Healthcare, that does not mean that your data could not have potentially been obtained during this breach, which is quite scary to think about. This breach was reported in April, it actually happened in February, and in that time, United Healthcare tried to pay a ransom payment of $22 million to the hacking group to mitigate any of this data being released. Unfortunately, they still have been able to see that some of that data has made it onto the web.
And if we jump on now to our OneTouchPoint, our next breach, this was in April of 2022. OneTouchPoint, who's a mailing and printer vendor who works alongside a number of large healthcare entities here in the US for a breach.
Initial thoughts were about 1 million people were going to be impacted off of this breach, but it's actually come to the attention that that's over doubled now to 2.6 million. Though this breach happened in April of 2022, it took till July of 2022 for OneTouchPoint to notify their users of this breach.
This resulted in a lot of criticism for their lack of response and acknowledgement of this issue two years on. And OneTouchPoint still doesn't know the entirety of what this data was stolen from their attack, nor do they know who took responsibility for this attack.
Another kind of key piece here to mention is that 34 associated health care providers were impacted by this. And just like the United Healthcare group case, we're seeing that a single breach into a single entity has ramifications to a number of other groups that tie alongside those entities. So these stretches are far stretching beyond just a single entry point when it comes to a data breach.
Now, if we look at the Shields Healthcare breach, this happened in March of 2023 Shields Healthcare is a Massachusetts based healthcare provider. In this case, we're talking 2 million individuals who had their information stolen. This information included social security numbers, medical diagnosis records and more.
And this is really a worst case scenario. I believe Paula touched on this earlier, we're talking about some of the most sensitive information that users have to themselves being obtained by another party, information you don't want to have shared. Very similar to the OneTouchPoint over a year later, and Shields Healthcare has yet to determine how the data was accessed, nor do they understand who has responsibility on this attack. They believe it was phishing related, but they have yet to determine what that cause was.
And then if we lastly look at the Health Equity breach that occurred, this was in March of this year of 2024 and it's impacting one of the largest U.S. health savings administrators. They found some irregular or anomalous behavior on one of their partner devices, which thus then led them to find and identify a data breach.
And again, similar to the Shields Healthcare breach, information that was taken was patient health assessment information, some very sensitive data. And up until this point well, the amount of data that those hackers have able to obtain or who took that information has yet to really been understood. I think if we take a moment to really reflect on some of these breaches, there are a few insights that we can look to take away with here.
So firstly, again, the impacts of these breaches, we, see these breaches are occurring to single entities within the healthcare sector, but the impacts and the implications of those are far stretching. Specifically, the health care industry has ties with a lot of organizations into different umbrellas.
So when one group is impacted, that has further downstream effects that implicate a lot of other groups within that. Additionally, I think another part to note is the frequency here. So we're seeing a number of attacks happen over these last couple of years. And this has really been an uptick from what we've seen previously.
I think it leads to show that the healthcare sector seems to be an easier target for these groups when it comes to identifying this information and being able to obtain it. And lastly, we look at time, and time is another factor. I don't think that organizations are looking at when it comes to this, a number of these.
Breaches that we spoke on today really give you an idea of: we're months to years past this initial breach happening and there's still a lack of understanding when it really comes to how much data was stolen or even what of the data was stolen. You know, and if we take a step back and we also look to consider some of the non-healthcare related breaches, the recent Ticketmaster, the CDK breach that occurred, you know, you are now potentially looking at the majority of Americans in the last year having some type of data being compromised into their systems.
And on a more personal note, as someone who received a letter last week from Ticketmaster, whose spouse received a letter, whose parents all received a letter that their data had been breached, I am personally eager to see how the public and the private sector is going to respond to this situation. Now I'd like to hand it over to my colleague, Catherine Shield, who will dive deeper into providing insight as to why healthcare is being targeted.
CATHERINE:
Thanks, Nick. You know, as noted, there's numerous examples that Mick has taken us through. So it's clear that the health insurance companies have become a prime target for these data breaches. And to reiterate on a few of those points, we can talk about the alarming trends and the several factors that really bleed into this.
So firstly, the value of the data that these companies are holding is immense. You know, health insurance databases contain extremely sensitive personal information. Both financial, but also medical histories. And both of these are highly valued on the black market for identity fraud, fraudulent billing, and medical identity theft, which can lead to unauthorized access to medical goods and services.
The high ransom potential of the sense of data cannot be overlooked. Healthcare data is critical, and the requirement to regain this data, and in some cases, in a very time sensitive manner, is paramount. Not to mention, these data leaks have immense safety impacts, and cause immense social anxiety for many of the affected patients.
Look, if that's not concerning enough, the interconnected nature of these healthcare systems means that just one breach in one area can have such far reaching consequences and health insurance companies often share data with hospitals, pharmacies, other healthcare providers, but even financial institutes.
So this can lead to a widespread exposure, even if one entity's defenses are compromised, it really is a web where we rely on every organization to be holding their part and their accountability. This vulnerability is often compounded by just a sheer amount of data that's being handled day to day within each organization, but also what's being shared between it. It's thousands and millions of transactions every single day.
Now the rapid necessity to digitally transform a healthcare industry, especially what we've seen during COVID, has led to a hasty implementation of data solutions and not always have created adequate security considerations. I think that's led to further available attack services to these cybercriminals.
If we take a look at the financial services space, you know, we know that we have laws like Australia's CPS 234, and US FISMA data regulations, but we don't see the same level of maturity yet that's meeting these data obligations in the healthcare industry. And we really feel that this leaves a significant gap in protection to patients and consumers.
Now, let's review a few of the common mistakes that we can see on the slides here that undermine our security efforts. Firstly, many organizations actually don't know what data they have or how it's being used. This oversight makes it really difficult to protect information effectively. How can you know what protection measures to put in place when you don't know what data you have?
And that leads on to the lax access controls. This allows unauthorized individuals to access the sensitive data. Once again, you don't know what information you have, you don't know what access controls you even need to apply. Third, the absence of multi-factor authentication. It's a critical oversight.
Yet a simple, effective measure just to enhance security by requiring a second form of verification means that we can feel more confident that the person who's been assigned to access the data really is that individual.
Now, finally, one of the really big ones is talking about excess data retention. Know, keeping more data than necessary increases the likelihood of not just the risk, but also the severity of these breaches.
And as we've seen in Medibank, each breach has a fine. And if you've got all these elements of excess data, that really compounds.
And now that's why data minimization is a critical activity that organizations really need to strongly consider. Which I'll just let Anthony take us through in more detail.
ANTHONY:
Thanks, Catherine. Look, what we have on the screen is what we call the RecordPoint Quadratic Data Equation™. Really, if you build on what's happened at Medibank and then what has continued to happen in the, in the case studies that Mick has taken us through from around the globe, there is a real need to look at how we prevent these activities from happening.
And yes, we completely at RecordPoint understand that security and access is a factor in this, but also a factor in this is data and how you apply the quadratic control to that data.
So why does minimization matter? Why does it really matter to think about the data you're holding? So as Catherine said earlier, the inventory or the understanding of that data, and then being able to ensure that you're able to meet the key elements of the control here.
So it's a fairly simple equation. Data breaches, breaches are going to happen. Those access control elements are going to occur no matter how well you construct the firewall. And so you need to look not just at the fence of the farm, but you also need to look at what you're growing on the farm and how growing it can be aligned to the minimization we want to occur.
So firstly, it is about less data. And less data, better organized. And so there is a, you know, we really at RecordPoint want you to think about what the implications of that. As we've already said, with the 9 million Australians data that was exposed in the Medibank attack the, you know, we, that would have been lessened.
And we, there is substantial evidence of that in, in the case before the courts, if minimization had, had happened. You don't need to just rely on security controls, you can also rely on the management of the estate within this equation. Ultimately, smaller pieces of data equals a reduction in loss, which equals a smaller fine to this incident occur.
It means you're going to have better trust with your stakeholders. And we really, you know, think that as a, as a community and a set of people that are focused in this area, that this is one of the key attributes that have been missing in each of the case studies that we've highlighted. I'd like to hand back to Catherine to probably dive a little deeper into, into those controls.
And Catherine, give us a little bit more of that landscape and understanding of how you approach these issues.
CATHERINE:
I think the first thing we need to consider is, you know, data breaches is no longer a question of if, but when. So organizations really need to consider how can we actually minimize this risk as Anthony was saying.
Now, let's touch on the two key categories of cyber security measures.
Now, cybersecurity is governance controls and technology controls. You know, in order for an organization to create a smaller attack surface, both of these categories need to be taken into consideration in tandem. You can't just solve for one and not the other and expect there to be, you know, a safeguard for your data.
Now, let's go into governance controls first. I feel like this is a very important part of the cybersecurity policies that we see in an organization, which are essential. First and foremost, let's talk about data security maturity models. Now, these are pivotal. These models help organizations evaluate the current security posture and identify areas for improvement.
It's essential that we align these models against our local regulations. Now, as we've mentioned, firstly, it's about identifying what data you have and then how we take care of it and how we minimize it. So looking at risk management and mitigation, we can identify potential threats and vulnerabilities and organizations can implement measures to mitigate these risks that can become, you know, significantly less issues if we do this ahead of time.
As part of this incident response plan enables a swift action in the event of a breach, just to minimize those damages, but also to restore operations quickly. Remember we're in the healthcare space, and that means that timely operations is key. Some patients need their data accessed immediately for the procedures to occur.
Now, touching quickly back on data minimization again, because that is really important. Data lifecycle management policies, including retention and disposal schedules, ensure that data is not only kept as long as necessary, but also disposed securely when not required. In addition to this, responsible data handling procedures and non-negotiables.
For example, not using customer data in a non, not using customer data in a non-production environment or ensuring non-production environments have the same level of security controls. We see production environments use multi-factor authentication to make sure that they are secure, but we don't seem to see the same level of security controls in non-production.
And it really makes you question why. Know in alignment to this, it's really about supporting responsible data handling and having that security awareness and training is fundamental. I'm going to that training programs help build a security-aware culture within each organization. Employees don't want to leak data, but they need to also be empowered to know how to recognize and respond to threats effectively.
Now, finally, It's wonderful and all to have all these controls in place, but you can't relax just yet. You know, if you're not auditing these controls consistently, then you're not going to know if the measures are effectively working or if you need to adjust them as the landscape changes. So flicking over to technology controls, this is a little bit shorter.
So firstly, you know, we're looking at network. It's one of the foundations of our defenses and end-to-end encryption is the most important, absolutely critical. That's essentially securing the data from origin point to its destination. This covers encryption of sensitive data, both in transit, but also at rest.
And so that's about data moving, say between networks and applications within an organization, but again, across organizations. Now we know healthcare providers work with so many different other companies and organizations. So are we making sure that those controls are in place for that data movement?
Secondly, organizations need to regulate who can access this information. And now that is technically a governance control, but we need the technology to back that up. No, seeing that we have role-based access control, limiting that access based on the user's role in the organization and ensuring that only authorized personnel can view, but also modify data and leading onto that, you know, multi-factor authentication, adding that extra layer of security.
It's just an additional step, but what it does is provide an additional form of verification. It makes it significantly harder for unauthorized users to access the data.
Now, finally, I'll let Anthony take us through how intelligent data management platform can take us further and help manage and secure data effectively.
ANTHONY:
Yeah. Thank you, Catherine. And look we've been investing considerably here at RecordPoint to respond to these sorts of scenarios. So, we and although, we've used very much the conversation today around healthcare, these problems exist across the board, the landscape. So no matter what industry you're in, we could have, in fact, focused on five case studies from your industry.
Now healthcare, healthcare is the most interesting because it has such an implication on everybody in society. And, and there are some, some key statistics I want to give you at the end of this conversation, but the within RecordPoint, we have focused very heavily on this problem and we work very closely with our customers globally to ensure that they are prepared, organized, and in a position where it is defendable should this occur. And, and the reality is it is going to occur. The what we have seen in the healthcare sector and what we're seeing in other sectors is: everybody is vulnerable to these attacks and no matter how well you've constructed your, your walls and fences and firewalls, it's going to happen.
So really, in the core capabilities that we have focused on thinking about automated data discovery, that automated data inventory, being able to automatically apply retention controls and manage that data and understand what is redundant, obsolete, trivial data that should be removed from the enterprise immediately and having the tooling to do that.
Having enterprise-grade capabilities to apply RBAC. So that fine-grained access control that's applied to data that is data-centric, not person-centric, data centric, and then assuring that that aligns again to the retention controls, really giving you the enterprise visibility into what's occurring within your data estate so that you can react and action that data across, across the different processes you're going to have. Whether that's a test environment, production environment, as Catherine spoke about, or potentially even a supply chain environment that you are a third-party contributor to. So you've got that understanding of what's occurring, that you can automate your governance, that you can provide context and awareness to the governance controls in your policy plan, and then automate that within tooling.
And then underneath that, ensuring that you're taking advantage of the latest technologies, be that. So, you know, applying the policies, a series of rules or using AI large language models, that real powerful capabilities to manage this data en masse.
And then lastly, being able to interrogate the data, to look for intelligence and the types of signals, where is the personal information, what systems does it exist in and not confining the whole scope of these capability to just structured data systems.
This is not just documents we're talking about. It is both structured and unstructured databases, applications like Workday, Google, et cetera. Why do we, why do we do this and what are we saying with our customers?
Well, if you come back again to the health sector and what's occurring and has occurred in the health sector, I want to throw some statistics out to you and we have seen instances whereby having these better data management controls, you can deal with some of the issues. Probably the first and most shocking to me was that a study from the University of Minnesota's School of Public Health has estimated about 42 to 62 patients have died as a result in the US of these data breaches.
This is a directly attributable deaths as a result of data. It's a shocking statistic that because these systems weren't in place you know, people unfortunately have passed away. And, and it's something really, I think we need to crystallize how important thinking about these things and, and these processes are.
If you want to take that further down here's some statistics over the last few years. In 2021 it's estimated in the HIPAA journal that there was about 45 million Americans impacted by data being breached in these kinds of operations. 45 million, not a large amount of a country of 350 million odd plus people.
As we get to 2022, that statistic went up to 51 million records being breached, 51 million individuals. But what was most shocking, all as I looked through that data, was in 2023, 133 million individuals were impacted by the breaches. You can see the exponential change that's occurring here in these style of breaches.
And this is just in the health sector. We know, as Mick highlighted before, that this is happening in, you know, the in all sorts of sectors, much like the story spoke about for himself in Ticketmaster and other breaches that have occurred, I personally was impacted by the Medisecure impact.
We didn't talk about it here, but it's another breach. But a prescription provider, an online e-prescription provider in Australia, had a cyber incident, which in fact is still ongoing. It occurred in November, 2023, and the, it is still being understood what occurred, but the information out there is that probably about half of the Australian population had some form of prescription in this provider that leaked out.
So these are real world incidents that can be managed, that can have better controls that are occurring out there in the landscape.
And so with that we'd love to open for some questions now. And we will try to answer the questions you might have, and we thank you very much for listening to us all.
Q+A – ANTHONY:
Great. Well, thank you all for following along. And there's some great questions, both popping up in the chat and in the questions area. If you'd like to ask a question, it's just there on the right hand side. There's a question box, pop it into the questionnaire and the team's also replying to those in the chat as well.
We've had, as I said, a couple of questions have come in. So just working off the first question:
Q: Who are the cyber criminals behind these attacks? And can they be stopped in the first place?
A: It's a great question and it's a very valid piece of – you know, very valid – of what's occurring here.
Look, there is certainly – and I'm not an expert to talk necessarily about the federal police and Interpol and other people that are doing these things – but we've certainly seen in the Medibank attack, some of the folks being found and in fact, being extradited as a result of that.
So, you know, it is possible. Can they be stopped in the first place? I think that is difficult. The reality is that we are in a zone of these cyber attacks are real. It’s very easy for organized individuals to continue to attack these ways and, let's be, let's be quite honest, the infrastructure and the processes we need inside organizations is not resilient yet.
And that's why we're having these conversations about data. But great question. Thank you very much. The second question in the chat, and also a great question:
Q: During the session, you mentioned that organizations are not having a clear understanding of their data, which can exacerbate, exacerbate the effects of the breach. Can you explain that in a bit more detail?
A: What a great question. Thank you, Scott. It's absolutely true that the organizations that we talked about, and even some of those academic studies we referenced, were coming from a place where they didn't fully understand the entirety of the data out there.
So in order to vector in on what, you know: if you think about the scenarios where an attacker wants to go ahead and breach and find information, you know, very quickly go and gather that information up because at the end of the day, they're looking for things of value that they can use. You're not having a mapping of where that is and where those risk points are has proven to be quite a common downfall that we're seeing across these cases.
Because then you're not able to put the processes and procedures in place to protect the key elements of data that need protection. And that, you know, really again, that's a big callout from the webinar here. That we need to think about this from a data centricity perspective, not just from a firewall and a network centricity perspective.
Q: Another great question here, um, around what other industries do you think might be attractive to targets and, you know, such as cyber criminals? And where, where do you think this goes over the next few years?
A: Really great question. And, and it's true, you know, we focus today. On a lot of the health care vectors, particularly Medibank and the pattern there.
But this, we're really seeing, these sort of attacks and this sort of information troll, expanding out into other areas. You know, classic, we've probably all seen in the news, the AT&T attack in the last few days, or at least the public acknowledgement of the attack.
You know, we're really seeing in the telecommunications industry, that next level where people are looking for data and for places to hunt data through that process. And it's certainly a pattern that it's not just healthcare data. Obviously, healthcare data is very rich in terms of information about individuals, but there are plenty of other places that that exist for the cyber attackers to.
The cyber criminals to actually go get. So we're seeing that pattern, healthcare, telecommunications, financial services and beyond, you know, government sector. There's been a number of attacks and public acknowledgements, you know, here in Australia of places where government also has been exposed.
Q: Next question and another really great deep question. Why isn't the legislation out there enough to protect Australians and Australian health data, or Americans and American health data.
Well, the reality is the attackers don't care. Firstly, those cyber criminals are criminals for a reason. They're really looking for how they can monetize this data and how they can make it effective for themselves. And secondly, the legislation is still catching up on these processes. I saw something in the chat mentioning before, you know, with these large data sets. Is it not the case that we're, you know, that we're going to see, legislation applied.
And I think it's true that we are going to see more legislation and more requirements for the kinds of things we're talking about. But at the end of the day you know, the fines aren't yet big enough. There isn't enough processes going through. And if you look at the Australian landscape, one of the drivers behind the new privacy legislation in particular is to really put some teeth into this, put some substance into these kind of breaches and deal with them as we roll forward.
So you know, really great question there and some other pieces to it. There's another question here.
Q: Can you repeat what you said about the deaths, you know, being caused by these attacks? And I missed that, from someone.
Well, the study – and I'm happy, we will post it out with you for you to take a look at – with the Minnesota Public Health at the University of Minnesota in the US has directly attributed the particular cybercriminal activities and the breaches for those activities (and in some cases that was ransomware), which locked people out of files, in some cases that were actually leaking information. Then people being hesitant to share further details because of the opportunity of further leakage occurring and then being barred from health insurance and all those things that come downstream.
So there are these directly attributable pieces in the study and you know, it's not my data. It's, it's certainly the data from, from the University, where they've looked at this in some detail. I'm happy again to share that.
Q: And then, you know, a question there about the proposed reforms to the Australian Privacy Act, you know, and if they go ahead, do you think that do we think those will provide adequate protection to consumers and health data?
A: Look, I think it's a step in the journey. I'm not sure...adequate is probably a loaded word. It will be down to the observer. There's certainly more teeth and more realization of the importance of an effective piece of legislation to protect personal data in Australia.
And I think the proposed reforms certainly go down some of that distance. It will have to be seen in court, whether it's adequate, you know, are the courts willing to impose fines that really mean there are some teeth to these pieces of legislation and that we can see people really think about the absolute impact of their data, and how those things work.
Q: The [next] question from Kathy Lavender, and thank you, Kathy. In some sectors, the fines imposed to companies are also imposed to are also imposed to an individual employee if they found if they find liable for the cause of the breach, is this something that we might see?
We might see, [that] occur or when we're more strict with person when dealing with personal data. Look, I think that's absolutely correct that at this stage, the fines are really targeted on the companies, but also the new privacy legislation in Australia has hinted at the notion of applying fines to board members, not necessarily to individual employees. You know, I think that's something that we may seem downstream, but at this stage, there's no individual onus in the act, but certainly companies need to have the operating controls and be in a place where they can monitor the individuals effectively.
Q: Had another great question from Neil McKinnon. I'm wondering how many attendees in a position to apply successful pressure to those decision makers to make them realize the value of the data and the importance of data immunization and data life cycle.
Certainly I'll answer that from a RecordPoint perspective and let the rest of the audience answer that in the chat. We are certainly seeing boards come to a realization of just how important it is to go ahead and think about these issues. We are talking consistently with fairly big organizations and, and their boards, about what the risk is, and what the value of this data is, and what we need to think about in terms of data minimization. I think we've seen that change occur in the industry, you know, albeit slowly, and there's probably a lot further to go.
But there's a real awakening of how important it is to think about these things more holistically than just how big events should be put up.
Q: We had another question from Bonnie. Bonnie asked, with data minimization, how can we change the mindset of staff to better collect the data, just in case we need it, for the future as to not inconvenience the customer, especially with the sensitive nature?
A: Really great question, Bonnie, and this is the reality of where people are at. That they are keen to be more effective at servicing their customer. Nobody's deliberately going out to, collect data and leave it there and expose the organization to additional risk in the real world. Folks are looking at how do I, you know, service people do it faster next time, not inconvenience the customer.
I think that's the key is though, organizations need to be able to not just change the mindset of the staff, but change the mindset to what is the use of data that's necessary. It really doesn't make sense to keep a driver's license number. Once you've verified that driver's license, you can keep a record of the verification event. You can keep a token that proves that verification event occurred, without keeping that driver's license number. And I think it's just rethinking why we're capturing the data and what its use is because we can actually capture it in a way that it's reusable in the future, not going into inconvenience customers, but not also collect that sensitive data such that it is going to cause these downstream pieces of harm.
And that really comes to the data pruning processes and the data minimization processes that we talked about during the webinar today.
Q: We had another great question from Christine on implementing data minimization. Is it best to start looking at what data you have and removing what is surplus to retention periods or surplus to your needs?
Great question Christine, and you're spot on. Now, I think the thing that we, if you're talking about this from a true information governance perspective, and what are our thoughts about that?
Information governance traditionally has thought about deleting whole pockets of data, be that a document, an Excel spreadsheet or a component from a database. What we're actually saying is retention potentially can be and should be a little more nuanced. So what are you going to prune from your data? It's not just about being surplus in terms of, “I have a Word document, it has a credit card number in it, I'll delete the whole Word document.” It's possible that word document represents a contract and that contract has to be kept for another 20 years.
But what we can do is prune out the credit card number. We've already built the customer, we don't need to keep the credit card number. We've already gotten the income from it. We're now just servicing the contract. So there are ways to look at this at a more fine grain level, and the technology will help us with this and make sure that we're not just taking those retention periods and thinking about surplus data, not just surplus data maps to retention periods.
And this is a little bit more fine grained control, but it is something to implement via the controls that you can have.
Q: Also from Christy. Another great question: I find our organization, the resources are being directed into cybersecurity and information assurance activities, such a risk assessments and I'm not and are not particularly valued. Instead, risk assessments being seen as blockers to staff getting and doing things.
That is correct. And this is a really common thing, a conversation that we see at RecordPoint and completely understand the blockage there, Christy. Oh, Kirstie, sorry. You know, in our organization in organizations, cybersecurity is often being funded heavily, but we are seeing this change occur where the cyber security folk is starting to understand that information assurance and risk mitigation of that information is in fact a key cybersecurity enabler.
There are a number of new cybersecurity standards that actually branch into this field, and we will send some out along with the webinar today to give you some of that context.
But there are ways to really morph that conversation. Where this becomes a component of cybersecurity so that you can connect those resources that are being poured in that direction to ensure that we're managing the data. And we're also doing it in a way that we're not blocking staff getting on with what they need to do.
This can be a very background activity. And really incorporating that process there and another another question there, around how to think about things.
Q: How do you influence decision makers through that process?
As I said earlier, I think it is about integrating into the cyber program, becoming connected to the CISO and talking about the impact of data pruning.
Dating minimization and data retention and bringing these things together so that you've got the value around managing that data effectively. And therefore you're able to better influence the decision-makers by bringing that with the cybersecurity folk, and we're seeing that happen quite a lot.
Q: There's another note there, around the culture problem and [the question is] how do senior executives connect with taking privacy very seamlessly and seriously?
I think, again, that links to the previous question, but is very much around, we see the new legislation happening: There are real penalties. You look at what happened with [Medibank], you look at the size of that fine. It is eye watering now, as we said in the webinar, it's unlikely the entire fine is going to be applied, but some portion of absolutely is. And I think what we are seeing as we speak to the senior executives, and you speak to board members, is there is a large realization that in order to be effective as an organization and a good corporate citizen, we have to think about privacy.
We have to think about how we're managing our data, and we have to actually put the controls in place to deal with this in a very serious way.
And I think that is the last question in the queue. Um, I really appreciate everybody's attention. If there are any other questions, feel free to reach out to RecordPoint.
There will be contact information when we send out the webinar and the recording. Thank you very much for attending today. We appreciate your time and thank you very much for listening in.
.png)
